The Chief Executive
All Authorized Institutions (AIs) 


Dear Sir/Madam, 


Implementation of Cyber Resilience Assessment Framework 


I am writing to provide you with additional information about the implementation of the 
Cyber Resilience Assessment Framework (C-RAF) under the Cybersecurity 
Fortification Initiative (CFI). 


The Hong Kong Monetary Authority (HKMA) launched the first phase of the C-RAF
implementation in December 2016. 30 authorized institutions (AIs), including all the
major retail banks, were requested to complete the C-RAF Inherent Risk Assessment
and Maturity Assessment by end-September 2017 and the Intelligence-led Cyber Attack
Simulation Testing (iCAST) by end-June 2018.


The HKMA has recently sought the feedback of the industry regarding the experience in
undertaking the C-RAF assessments. While AIs generally consider the exercise to be
very useful in raising the level of their cyber resilience, there is a practical concern
regarding whether there will be a sufficient supply of qualified C-RAF assessors if all
the remaining AIs are asked to undertake the C-RAF Inherent Risk Assessment and
Maturity Assessment at the same time. The industry proposes that priority to undertake
the C-RAF assessments be given to AIs assessed to be of “High” or “Medium” inherent
risk.


Taking into account the industry’s feedback, the HKMA considers it appropriate to 
implement the C-RAF by two more phases as follows: 


(i) Second phase — This phase will cover 60 AIs with a relatively higher inherent
risk or a larger scale of operation among the remaining AIs not covered in the
first phase. These AIs will be notified by the HKMA individually. The
expected timeline for these AIs to complete the C-RAF assessments is set out
below:

    • Inherent Risk Assessment and Maturity Assessment: End-December 2018

    • iCAST (applicable for AIs with a “High” or “Medium” inherent risk
      level): End-September 2019


(ii) Third phase — This phase will cover all the remaining AIs (around 90 AIs) to be
notified by the HKMA individually. They will be expected to complete the C-RAF
Inherent Risk Assessment and Maturity Assessment by end-September 2019, and
iCAST (if applicable) by mid-2020. For newly authorized AIs, the HKMA will
inform them of the timeline within which they should complete the C-RAF
assessments.


At the time of rolling out the first phase of C-RAF implementation, the HKMA, on the 
advice of an industry expert group, adopted a list of professional qualifications which 
were considered to be equivalent to the certifications provided under the Professional 
Development Programme (PDP) of the CFI. We understand from the industry that 
there are professionals who have the required expertise and are highly experienced in 
performing cybersecurity maturity assessments or cyber attack simulation tests, but do 
not currently possess the corresponding PDP certification or an equivalent qualification 
specified in the list. The HKMA is prepared to accept the appointment of these
qualified professionals by AIs to perform the C-RAF Inherent Risk Assessment, the
Maturity Assessment or the iCAST, provided that a careful assessment of their
expertise and experience is performed and the assessment result is properly documented.
The list of equivalent qualifications will be reviewed in due course. 


Taking this opportunity, we would like to remind those AIs which have completed the 
C-RAF assessments to devote adequate management attention and resources to 
rectifying all the control gaps identified in the C-RAF assessments. They should put in 
place proper governance arrangements and processes to monitor the implementation 
process closely and keep their board of directors and senior management informed. 
They are also expected to evaluate the ongoing adequacy and effectiveness of their 
cybersecurity controls, having regard to the C-RAF and the latest cyber risk landscape. 


Should you have any questions regarding the implementation schedule of the C-RAF
and the above-mentioned matters, please feel free to contact Mr Alvin Li on 2878-1458
or Ms Kerrie Chan on 2878-1426.


Yours faithfully, 


Raymond Chan 
Executive Director (Banking Supervision) 


